* [PATCH v3] 3c59x: Fix memory leaks in vortex_open @ 2014-12-23 2:54 Jia-Ju Bai 2014-12-23 14:24 ` Neil Horman 0 siblings, 1 reply; 7+ messages in thread From: Jia-Ju Bai @ 2014-12-23 2:54 UTC (permalink / raw) To: davem, nhorman, ebiederm, dingtianhong, paul.gortmaker, justinvanwijngaarden Cc: netdev, Jia-Ju Bai For linux-3.18.0 The driver calls __netdev_alloc_skb in vortex_open but lacks dev_kfree_skb when vortex_up is failed, so memory leaks may occur in this situation. This patch fixes this problem. Signed-off-by: Jia-Ju Bai <baijiaju1990@163.com> --- drivers/net/ethernet/3com/3c59x.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/drivers/net/ethernet/3com/3c59x.c b/drivers/net/ethernet/3com/3c59x.c index 41095eb..d0c5bee 100644 --- a/drivers/net/ethernet/3com/3c59x.c +++ b/drivers/net/ethernet/3com/3c59x.c @@ -1782,6 +1782,16 @@ vortex_open(struct net_device *dev) if (!retval) goto out; + if (vp->full_bus_master_rx) { + for (i = 0; i < RX_RING_SIZE; i++) { + if (vp->rx_skbuff[i]) { + dev_kfree_skb(vp->rx_skbuff[i]); + vp->rx_skbuff[i] = NULL; + } + } + retval = -ENOMEM; + } + err_free_irq: free_irq(dev->irq, dev); err: -- 1.7.9.5 ^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH v3] 3c59x: Fix memory leaks in vortex_open 2014-12-23 2:54 [PATCH v3] 3c59x: Fix memory leaks in vortex_open Jia-Ju Bai @ 2014-12-23 14:24 ` Neil Horman 2014-12-23 15:00 ` Jia-Ju Bai 0 siblings, 1 reply; 7+ messages in thread From: Neil Horman @ 2014-12-23 14:24 UTC (permalink / raw) To: Jia-Ju Bai Cc: davem, ebiederm, dingtianhong, paul.gortmaker, justinvanwijngaarden, netdev On Tue, Dec 23, 2014 at 10:54:50AM +0800, Jia-Ju Bai wrote: > For linux-3.18.0 > The driver calls __netdev_alloc_skb in vortex_open but lacks dev_kfree_skb > when vortex_up is failed, so memory leaks may occur in this situation. > This patch fixes this problem. > > Signed-off-by: Jia-Ju Bai <baijiaju1990@163.com> > --- > drivers/net/ethernet/3com/3c59x.c | 10 ++++++++++ > 1 file changed, 10 insertions(+) > > diff --git a/drivers/net/ethernet/3com/3c59x.c b/drivers/net/ethernet/3com/3c59x.c > index 41095eb..d0c5bee 100644 > --- a/drivers/net/ethernet/3com/3c59x.c > +++ b/drivers/net/ethernet/3com/3c59x.c > @@ -1782,6 +1782,16 @@ vortex_open(struct net_device *dev) > if (!retval) > goto out; > > + if (vp->full_bus_master_rx) { > + for (i = 0; i < RX_RING_SIZE; i++) { > + if (vp->rx_skbuff[i]) { > + dev_kfree_skb(vp->rx_skbuff[i]); > + vp->rx_skbuff[i] = NULL; > + } > + } > + retval = -ENOMEM; > + } > + > err_free_irq: > free_irq(dev->irq, dev); > err: > -- > 1.7.9.5 > > > This doesn't make sense. We free all the skbs in vortex_open if we don't allocate all of them (the if (i != RX_RING_SIZE) check), the only place we miss is if vortex_up fails, and you didn't remove the if (!retval) goto out check, so this code won't get run appropriately. That said, it does seem we need to clean up if vortex_up fails, but it would seem to me to be easier to just call vortex_close if it does, since that will do all of the approriate cleanup. Neil ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH v3] 3c59x: Fix memory leaks in vortex_open 2014-12-23 14:24 ` Neil Horman @ 2014-12-23 15:00 ` Jia-Ju Bai 2014-12-23 15:43 ` Neil Horman 0 siblings, 1 reply; 7+ messages in thread From: Jia-Ju Bai @ 2014-12-23 15:00 UTC (permalink / raw) To: Neil Horman Cc: davem, ebiederm, dingtianhong, paul.gortmaker, justinvanwijngaarden, netdev Thanks for the reply! > This doesn't make sense. We free all the skbs in vortex_open if we don't > allocate all of them (the if (i != RX_RING_SIZE) check), the only place we miss > is if vortex_up fails, and you didn't remove the if (!retval) goto out check, so > this code won't get run appropriately. In the code, when vortex_up is failed and does not returns 0, "if (!retval)" is failed and "goto out" is not executed, so error handling code below is executed, including my added code. Is it right? > > That said, it does seem we need to clean up if vortex_up fails, but it would > seem to me to be easier to just call vortex_close if it does, since that will do > all of the approriate cleanup. > > Neil > In the code, vortex_close does too many releasing operations, such as free vp->tx_skbuff, but vortex_open only allocates memory for vp->rx_skbuff before vortex_up is called. So I think it is enough to just free the memory of vp->rx_skbuff when vortex_up is failed. ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH v3] 3c59x: Fix memory leaks in vortex_open 2014-12-23 15:00 ` Jia-Ju Bai @ 2014-12-23 15:43 ` Neil Horman 2014-12-24 2:12 ` Jia-Ju Bai 0 siblings, 1 reply; 7+ messages in thread From: Neil Horman @ 2014-12-23 15:43 UTC (permalink / raw) To: Jia-Ju Bai Cc: davem, ebiederm, dingtianhong, paul.gortmaker, justinvanwijngaarden, netdev On Tue, Dec 23, 2014 at 11:00:01PM +0800, Jia-Ju Bai wrote: > Thanks for the reply! > > >This doesn't make sense. We free all the skbs in vortex_open if we don't > >allocate all of them (the if (i != RX_RING_SIZE) check), the only place we miss > >is if vortex_up fails, and you didn't remove the if (!retval) goto out check, so > >this code won't get run appropriately. > > In the code, when vortex_up is failed and does not returns 0, > "if (!retval)" is failed and "goto out" is not executed, so error handling > code > below is executed, including my added code. > Is it right? > Yup, you're right, I missed the sense of the check. > > > >That said, it does seem we need to clean up if vortex_up fails, but it would > >seem to me to be easier to just call vortex_close if it does, since that will do > >all of the approriate cleanup. > > > >Neil > > > > In the code, vortex_close does too many releasing operations, such as free > vp->tx_skbuff, but vortex_open only allocates memory for vp->rx_skbuff > before > vortex_up is called. > So I think it is enough to just free the memory of vp->rx_skbuff when > vortex_up > is failed. > No, I don't think so. vortex_close predicates each free with a NULL check, so if its not been allocated, it shouldn't be freed. vortex_close also puts the adapter back into a known state (undoing all the setup that vortex_open does). I really think its better to go with the proper close path than just unwinding the allocation Neil > ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH v3] 3c59x: Fix memory leaks in vortex_open 2014-12-23 15:43 ` Neil Horman @ 2014-12-24 2:12 ` Jia-Ju Bai 2014-12-24 3:27 ` Neil Horman 0 siblings, 1 reply; 7+ messages in thread From: Jia-Ju Bai @ 2014-12-24 2:12 UTC (permalink / raw) To: Neil Horman Cc: davem, ebiederm, dingtianhong, paul.gortmaker, justinvanwijngaarden, netdev On 12/23/2014 11:43 PM, Neil Horman wrote: > No, I don't think so. vortex_close predicates each free with a NULL check, so > if its not been allocated, it shouldn't be freed. vortex_close also puts the > adapter back into a known state (undoing all the setup that vortex_open does). > I really think its better to go with the proper close path than just unwinding > the allocation > > Neil > Firstly, I run my match on the real hardware(3com 3c905B 100Base PCI Ethernet Controller) and make vortex_up failed on purpose (make "pci_enable_device" in vortex_up failed). During runtime, the driver works well and memory leaks are fixed. Secondly, I revise the code according to your opinion: retval = vortex_up(dev); if (!retval) goto out; + vortex_close(dev); + return -ENOMEM; Then I repeat my experiment, but system hang occurs! After adding some "printk"s into the code and running the driver, I find the problem's source: vortex_close calls vortex_down in runtime, and vortex_down calls "del_timer_sync(&vp->rx_oom_timer);" in the code. However, I make "pci_enable_device" failed in vortext_up to let vortex_up return an error code directly, but "vp->rx_oom_timer" is initialized only by "init_timer" after "pci_enable_device". Thus when "del_timer_sync(&vp->rx_oom_timer);" is called in vortex_down, a null dereference may occur. Moreover, only "pci_enable_device" can make vortex_up failed. ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH v3] 3c59x: Fix memory leaks in vortex_open 2014-12-24 2:12 ` Jia-Ju Bai @ 2014-12-24 3:27 ` Neil Horman 2014-12-24 4:10 ` David Miller 0 siblings, 1 reply; 7+ messages in thread From: Neil Horman @ 2014-12-24 3:27 UTC (permalink / raw) To: Jia-Ju Bai Cc: davem, ebiederm, dingtianhong, paul.gortmaker, justinvanwijngaarden, netdev On Wed, Dec 24, 2014 at 10:12:58AM +0800, Jia-Ju Bai wrote: > On 12/23/2014 11:43 PM, Neil Horman wrote: > >No, I don't think so. vortex_close predicates each free with a NULL check, so > >if its not been allocated, it shouldn't be freed. vortex_close also puts the > >adapter back into a known state (undoing all the setup that vortex_open does). > >I really think its better to go with the proper close path than just unwinding > >the allocation > > > >Neil > > > > Firstly, I run my match on the real hardware(3com 3c905B 100Base > PCI Ethernet Controller) and make vortex_up failed on purpose > (make "pci_enable_device" in vortex_up failed). During runtime, the driver > works well and memory leaks are fixed. > > Secondly, I revise the code according to your opinion: > > retval = vortex_up(dev); > if (!retval) > goto out; > > + vortex_close(dev); > + return -ENOMEM; > > Then I repeat my experiment, but system hang occurs! > > After adding some "printk"s into the code and running the driver, I find > the problem's source: > vortex_close calls vortex_down in runtime, and vortex_down calls > "del_timer_sync(&vp->rx_oom_timer);" in the code. However, I make > "pci_enable_device" failed in vortext_up to let vortex_up return an > error code directly, but "vp->rx_oom_timer" is initialized only by > "init_timer" after "pci_enable_device". Thus when > "del_timer_sync(&vp->rx_oom_timer);" is called in vortex_down, > a null dereference may occur. > Moreover, only "pci_enable_device" can make vortex_up failed. > > Sooo, fix it. Add some checks to not delete the timer if its not been initalized. Its really preferable to have a single teardown path and a single bringup path if at all possible Neil ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH v3] 3c59x: Fix memory leaks in vortex_open 2014-12-24 3:27 ` Neil Horman @ 2014-12-24 4:10 ` David Miller 0 siblings, 0 replies; 7+ messages in thread From: David Miller @ 2014-12-24 4:10 UTC (permalink / raw) To: nhorman Cc: baijiaju1990, ebiederm, dingtianhong, paul.gortmaker, justinvanwijngaarden, netdev From: Neil Horman <nhorman@tuxdriver.com> Date: Tue, 23 Dec 2014 22:27:28 -0500 > Sooo, fix it. Add some checks to not delete the timer if its not been > initalized. Its really preferable to have a single teardown path and a single > bringup path if at all possible Or simply have vortex_up() initialize the two timers before it does anything else. ^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2014-12-24 4:10 UTC | newest] Thread overview: 7+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2014-12-23 2:54 [PATCH v3] 3c59x: Fix memory leaks in vortex_open Jia-Ju Bai 2014-12-23 14:24 ` Neil Horman 2014-12-23 15:00 ` Jia-Ju Bai 2014-12-23 15:43 ` Neil Horman 2014-12-24 2:12 ` Jia-Ju Bai 2014-12-24 3:27 ` Neil Horman 2014-12-24 4:10 ` David Miller
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).